Audit of the State Wage Match Data Transmission Controls

Report No. 07-04, March 28, 2007


INTRODUCTION

This report presents the results of the Office of the Inspector General's (OIG) audit of the state wage match data transmission controls.

BACKGROUND

The Railroad Retirement Board's mission includes an unemployment-sickness insurance benefit program for railroad workers under the Railroad Unemployment Insurance Act. This program provides temporary unemployment and sickness benefits to qualified railroad workers. During the fiscal year ending September 30, 2006, about 28,000 unemployment and sickness claimants received approximately $73 million in benefits.

The Railroad Retirement Board (RRB) has developed integrity programs to identify new information or verify existing information relevant to determining initial or continuing eligibility and entitlement to benefits. These programs are crucial to ensure that the RRB pays benefits in the correct amount to eligible and entitled beneficiaries and to detect fraud and abuse. One of these programs, referred to as the "State Wage Matches," involves matching data with the states and other matching participants.

The RRB has computer matching agreements with 49 states and the District of Columbia. The Office of Programs conducts the state wage matches with the majority of these participants by generating IBM cassette tapes containing the Social Security Numbers (SSNs) of railroad employees who received unemployment and sickness benefits. The RRB sends the IBM cassette tapes to the matching participants to detect instances in which railroad employees received unemployment or sickness benefits for days on which they also worked in non-railroad employment, or for which state unemployment benefits were paid. The RRB occasionally matches data with the State of Hawaii and the Commonwealth of Puerto Rico by mailing paper documents to them. The matching participants provide the RRB with the results of their matches. The results generally include names, SSNs, earnings, state benefits, and employer information. The RRB reimburses the matching participants for their actual costs of performing the matches. The Office of Programs conducts the state wage matches twice a year, except for quarterly matches with the State of New York. In some cases, the RRB's field offices verify the accuracy of the match results. The Office of Programs refers some cases to the Office of Inspector General for investigation when fraud is suspected.

Information which can be linked to an individual is referred to as personally identifiable information (PII) by the United States Office of Management and Budget (OMB). The OMB has defined PII as follows: "Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual."

OBJECTIVE, SCOPE, AND METHODOLOGY

The OIG performed this audit to determine the adequacy of the state wage match data transmission controls for ensuring the security of state wage match data. The OIG accomplished the audit objective by:

   • interviewing responsible management and staff;
   • assessing RRB data transfer controls, including the safeguarding of state wage match data tapes; and
   • assessing the data transfer methods included in the state wage match agreements.

This audit was conducted in accordance with generally accepted government auditing standards applicable to the objective. We performed the fieldwork at RRB headquarters in Chicago, Illinois from November 2006 through February 2007.


RESULTS OF AUDIT

Subsequent to the loss of state wage match data in September 2006, the RRB improved controls over the transmission of this data. Based on the RRB's actions, we conclude that controls for transmitting state wage match data provide reasonable assurance that such data is secure. The RRB can, however, take additional actions to further improve controls. Details on the loss of state wage match data, RRB actions to improve controls, and areas in which additional improvements can be made are presented below along with our recommendations.

Until September 2006, the Office of Programs conducted the majority of the state wage matches by mailing unencrypted data tapes in padded envelopes to the matching participants. The RRB sent paper documents to the State of Hawaii and the Commonwealth of Puerto Rico. The RRB had exchanged state wage match data with two states via electronic transfer of encrypted data, and was in the process of implementing the electronic transfer of encrypted state wage match data with one other state. The Office of Programs had performed state wage matches for approximately 17 years without the loss of any matching data.

In September 2006, the State of Minnesota sent the Office of Programs a package containing two state wage match computer tapes. The Office of Programs received the package, but it was torn open and the tapes were missing. The package was a soft bubble wrap envelope, sent by first class mail via the United States Postal Service. The state wage match agreement with Minnesota did not specify any shipping method. The RRB reported the incident to the Department of Homeland Security, as required by the Federal Information Security Management Act of 2002, and to the Office of Inspector General for investigation. The tapes have not been found, and there is no indication that the data has been misused.

In conducting an investigation of this loss, the Office of Inspector General met with employees of the United States Postal Service. The Postal employees stated that computer tapes should be packaged in boxes. Mail handling equipment is known to squeeze hard items out of soft bubble wrap packages. Once separated from their packages, the contents may never be delivered to the intended recipients.

Subsequent to the loss of the Minnesota tapes, the Office of Programs and the State of Minnesota implemented a secure electronic exchange of encrypted state wage match data. In addition, the Office of Programs took the following steps with other matching participants to further protect against the loss of state wage match data:

   • instructed matching participants to ship data tapes in boxes rather than in bubble wrap packages;
   • directed the matching participants to ship the tapes via a public carrier that provides electronic receipt and tracking during shipment; and
   • printed address labels for the data tapes so that they can be delivered to the RRB even if they are separated from the shipping box.

These packaging, tracking, and labeling measures reduce the chance that a tape is lost in transit and improve the odds of recovering one that is separated from its package. They do not, however, protect the data on an unencrypted tape that is lost or taken; only encryption of the data itself addresses that exposure. The RRB should therefore take additional actions to further improve security. The following sections present areas in which improvements can be made.


ENCRYPTION AND ELECTRONIC TRANSFER OF DATA

The RRB can take action to increase the number of states encrypting data and transferring it electronically. The Office of Programs indicated that, five or six years ago, the Bureau of Information Services (BIS) contacted all the matching participants regarding encryption of state wage match data and use of electronic transmission. At that time, the matching participants did not show significant interest in these methods.

The Office of Programs has continued to pursue encryption and electronic transmission, but with limited success. Program officials indicated that coordinating a change to encrypt data and transmit it electronically with all matching participants has been a logistical challenge. Implementation has been difficult due to the complexities involved. Because the states have different computer systems, various software and hardware issues have to be addressed individually. Matching participants have different preferences for implementing the various methods of encrypting and electronically transferring data; for example, some states may prefer to use an RRB computer server rather than their own server for data transfers. In addition, changing current processing and revising the state wage match agreements can involve multiple departments and individuals at the state level. The Office of Programs indicated that it was a major accomplishment to get all the matching participants to use one of three data layouts for the computer matching data. Other impediments to change included the prohibitive cost of implementing changes, and the RRB having had higher priorities over the last few years.

This environment has changed significantly in the last year. State wage match data was lost. Data was also lost by the Veterans Administration and other government agencies, and these losses were covered in the press, raising the concern of both the public and government officials. On October 13, 2006, the Committee on Government Reform issued a staff report on agency data breaches since January 1, 2003. In addition, technology has advanced to the point that the cost of encrypting data and transmitting it electronically is no longer prohibitive. At this time, both the RRB and the matching participants may be motivated to implement changes that will improve data security. The Office of Programs, Program Evaluation Section, has established an internal goal of implementing encrypted electronic data transfers with an additional five state wage matching participants during Fiscal Year 2007.

However, the Office of Programs has not developed a formal plan for increasing the number of participants who encrypt or transfer state wage match data electronically. Without such a plan, the Office of Programs may be missing an opportunity to raise the priority of its initiatives within the RRB and to gain the support of the RRB Executive Committee.

OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, requires encryption and implementation of National Institute of Standards and Technology (NIST) security controls for PII "transported and/or stored offsite." RRB Form G-5 pamphlet dated 1-07, The Railroad Retirement Board's Rules of Behavior for the General Support Systems, which amends Appendix 3 of Administrative Circular IRM-10, End-User Computing: Network and Microcomputer (PC) Management, requires encryption for PII stored on remote systems, mobile devices, and removable storage media. Unencrypted data tapes mailed to matching participants are PII on removable media transported offsite, and so fall squarely within both requirements.

Recommendation

We recommend that the Office of Programs establish a formal plan with short-term and long-term goals for encrypting and transferring data electronically with state wage match participants. (Recommendation #1)

Management's Response

The Office of Programs concurs with the recommendation. The Office of Programs indicated that "Assessment and Training will coordinate with Policy and Systems (P&S) and the Bureau of Information Services (BIS) to develop an action plan to propose electronic data exchanges with state agencies. The plan which will include both short and long-term goals for implementation will be completed by July 31, 2007." The full text of management's response is included as an appendix to this report.


STATE WAGE MATCH AGREEMENTS

The state wage match agreements do not sufficiently address the data transmission methods. When the RRB initiated the state wage match program in the early 1990s, it developed a standard agreement that most, if not all, matching participants could accept. Currently, 43 of the 50 matching participants perform the state wage matches under the terms of the standard agreement. The remaining seven matching participants have made other agreements with the RRB for the state wage matches. The RRB refers to these as non-standard agreements. They generally have requirements that are more extensive than the standard agreement. The majority of the non-standard agreements (six of seven) include electronic encryption options in accordance with NIST standards.

The standard agreement does not specify a method for shipping the data tapes, and six of the seven non-standard agreements provide that data tapes be sent by first class mail in padded envelopes. That is the shipment method that resulted in the loss of the State of Minnesota tapes. The Office of Programs has significantly increased physical security over state wage match data tapes by the use of boxes, padded packaging, tracking, and return receipt. The agreements should be updated to reflect these changes.

The RRB is currently exchanging encrypted state wage match data electronically with three states and is in the process of implementing a similar exchange with one more state. The RRB has standard wage match agreements with all four of these states. The RRB has not updated these agreements to reflect the change from the use of data tapes to the current transfer method, i.e., encrypted electronic data transfers.

The Privacy Act requires that matching agreements include "procedures for ensuring the administrative, technical, and physical security of the records matched and the results of such programs."

Because the agreements do not address the current data transmission methods, they are not current and accurate, and internal controls are weakened.

Recommendation

We recommend that the Office of Programs update the state wage match agreements to reflect the current transfer methods, including security measures for data encryption and electronic data transfer. (Recommendation #2)

Management's Response

The Office of Programs concurs with the recommendation. The Office of Programs indicated that Assessment and Training "will incorporate wording in the addendum previously developed for initiating electronic data transmission methods or in agreement renewals to specify traceable packaging delivery using a box container. A&T will develop a plan to implement revised agreements by July 31, 2007."


POLICIES & PROCEDURES

The Office of Programs does not have written policies and procedures for the state wage match data transmission process. The Office of Programs has prepared some draft written procedures and plans to prepare detailed written policies and procedures.

The Standards for Internal Control in the Federal Government, published by the U.S. General Accounting Office (GAO) in November 1999, require that "Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management." The internal control standards define internal control as an integral component of an organization's management that provides reasonable assurance that the following objectives are being achieved: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. Internal control is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives.

The lack of written policies and procedures for the state wage match process is an internal control weakness which can decrease accountability and weaken the security of the state wage match data.

Recommendation

We recommend that the Office of Programs establish target dates for finalizing and implementing written policies and procedures for the state wage match data transmission process. (Recommendation #3)

Management's Response

The Office of Programs concurs with the recommendation. The Office of Programs indicated that Policy and Systems "will develop and publish procedures by September 30, 2007."


TAPE TRANSFER PROCESS

The Office of Programs has not established uniform policies and procedures for monitoring data tapes during the matching process. The RRB does not use the courier's tracking system to monitor approximately one-half of the packages sent to the matching participants. In addition, the RRB does not notify approximately one-half of the state matching participants by phone or e-mail when a package is sent. The matching participants do not notify the RRB when matching tapes are returned to the RRB. As a result, neither party can tell a package that is late from one that is lost until the missing tapes are noticed some other way.

The Standards for Internal Control in the Federal Government require that "Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management." Internal control comprises the plans, methods, and procedures used to meet missions, goals, and objectives. Clear and concise written policies and procedures are an internal control activity which will help ensure that data tapes are adequately monitored during the data transmission process. The lack of written policies and procedures for the state wage match process has contributed to this condition.

Internal controls are weakened if the RRB does not have a formal procedure for tracking state wage match data tapes, and delayed or lost tapes may not be identified in a timely manner.

Recommendation

We recommend that the Office of Programs establish policies and procedures for monitoring state wage match data tapes shipped to and from the matching participants. (Recommendation #4)

Management's Response

The Office of Programs concurs with the recommendation. The Office of Programs indicated that "the employees involved have already been directed to monitor the shipping of these tapes to and from the states. The process will be formalized when uniform procedure is published by September 30, 2007."


TAPE MONITORING RECORDS

The Office of Programs' records for monitoring and tracking the location of state wage match data tapes do not sufficiently account for the temporary storage of tapes and do not document a complete history of tape activities.

After the matches have been completed, the matching participants send two categories of tapes to the Office of Programs. The first are the input tapes that the Office of Programs sent to the matching participants. The second are the output tapes that the matching participants produce with the match results. Upon receipt, the Office of Programs holds the input tapes in temporary storage and forwards the output tapes to BIS for computer processing of the state wage match data. Occasionally BIS is unable to process the output tapes immediately, and the Office of Programs holds them in temporary storage. After the computer processing output is received, reviewed, and accepted, the Office of Programs sends the input tapes to BIS, where the data is erased from both the input and output tapes.

Office of Programs employees do not record, in the tape monitoring records, the removal of data tapes from temporary storage. In addition, an employee occasionally overwrites the dates on which tapes were received, processed, etc., with the processing dates of other tapes. The Office of Programs manually tracks approximately one-half of the tapes and tracks the remainder in an electronic spreadsheet. The lack of written policies and procedures for the state wage match process has contributed to this condition.

Not accurately documenting tape activity could hinder the detection and investigation of a lost tape. A record in which earlier dates have been overwritten no longer shows when a tape was last known to be in a given location or in whose custody it was, which is precisely what an investigation needs. Properly accounting for the temporary storage of tapes and the movement of tapes helps protect both the data tapes and the personal information contained on them.

Recommendations

We recommend that the Office of Programs:

   • establish procedures that will ensure the tape monitoring records are current, complete, and accurate; (Recommendation #5) and
   • establish procedures to track all data tapes electronically to ensure consistent records are maintained. (Recommendation #6)

Management's Response

The Office of Programs concurs with the recommendations. In response to recommendation #5, the Office of Programs indicated that "the employees involved in handling these tapes have already been directed to maintain current complete and accurate records of the process of monitoring the shipping of the tapes. The documentation requirement will be formalized when uniform procedure is published by September 30, 2007." In response to recommendation #6, the Office of Programs indicated that "the employees involved in handling these tapes have already been directed to track control of tapes until they are placed in control of BIS hands. The process will be formalized when uniform procedure is published by September 30, 2007."


Appendix

TO: Henrietta Shaw, Assistant Inspector General
FROM: Catherine A. Ceyser, Director of Assessment and Training
THROUGH: Dorothy Isherwood, Director of Programs
SUBJECT: Audit of the State Wage Match Data Transmission Controls

Recommendation 1: We recommend that the Office of Programs establish a formal plan with short-term and long-term goals for encrypting and transferring data electronically with state wage match participants.

OP Response: We concur. Assessment and Training (A&T) will coordinate with Policy and Systems (P&S) and the Bureau of Information Services (BIS) to develop an action plan to propose electronic data exchanges with state agencies. The plan which will include both short and long-term goals for implementation will be completed by July 31, 2007.

Recommendation 2: We recommend that the Office of Programs update the state wage match agreements to reflect the current transfer methods including security measures for data encryption and electronic data transfer.

OP Response: We concur. A&T will incorporate wording in the addendum previously developed for initiating electronic data transmission methods or in agreement renewals to specify traceable packaging delivery using a box container. A&T will develop a plan to implement revised agreements by July 31, 2007.

Recommendation 3: We recommend that the Office of Programs establish target dates for finalizing and implementing written policies and procedures for the state wage match data transmission process.

OP Response: We concur. P&S will develop and publish procedures by September 30, 2007.

Recommendation 4: We recommend that the Office of Programs establish policies and procedures for monitoring state wage match data tapes shipped to and from the matching participants.

OP Response: We concur. The employees involved have already been directed to monitor the shipping of these tapes to and from the states. The process will be formalized when uniform procedure is published by September 30, 2007.

Recommendation 5: We recommend that the Office of Programs establish procedures that will ensure the tape monitoring records are current, complete, and accurate.

OP Response: We concur. The employees involved in handling these tapes have already been directed to maintain current complete and accurate records of the process of monitoring the shipping of the tapes. The documentation requirement will be formalized when uniform procedure is published by September 30, 2007.

Recommendation 6: We recommend that the Office of Programs establish procedures to track all data tapes electronically to ensure consistent records are maintained.

OP Response: We concur. The employees involved in handling these tapes have already been directed to track control of tapes until they are placed in control of BIS hands. The process will be formalized when uniform procedure is published by September 30, 2007.